路由器和防火墙 pfSense 2.0 正式版发布

jopen 13年前
     <p>pfSense 2.0 基于 FreeBSD 8.1,主要改进包括:增强的 IP 别名、面板和部件、SMTP 和 growl 警报、新的流量取样、7层协议过滤、NAT 引擎和配置的改进、证书管理器、V*N改进、虚拟无线 AP 支持等等。<br /> <img title="pfsense.png" border="0" alt="pfsense.png" src="https://simg.open-open.com/show/30d5038823b637e32bb769fe5e3f42ac.png" width="90" height="90" /><br /> <br /> pfSense是一个FreeBSD下的免费开源的防火墙和路由器软件。</p>    <p>pfSense是源自于m0n0wall的操作系统。它使用的技术包括Packet Filter,FreeBSD 6.x(或DragonFly BSD,假如ALTQ和CARP完成了的话)的ALTQ(以出色地支持分组队列),集成的包管理系统(以为其环境扩展新的特性)。</p>    <p><br /> <span style="font-weight:bold;">项目地址</span>:<a href="/misc/goto?guid=4958196548251107564" target="_blank">http://www.pfsense.com/</a></p>    <p>详细内容如下:</p>    <h3><span class="mw-headline">Operating System </span></h3>    <ul>     <li>Based on FreeBSD 8.1 release.</li>     <li>i386 and amd64 variants for all install types (full install, nanobsd/embedded, etc.)</li>     <li>USB memstick installer images available</li>    </ul>    <a id="Interfaces" name="Interfaces"></a>    <h3><span class="mw-headline">Interfaces </span></h3>    <ul>     <li>GRE tunnels</li>     <li>GIF tunnels</li>     <li>3G support </li>     <li>Dial up modem support</li>     <li>Multi-Link PPP (MLPPP) for bonding PPP connections (ISP/upstream must also support MLPPP)</li>     <li><a title="LAGG Interfaces" href="/misc/goto?guid=4958196549011915938">LAGG Interfaces</a> </li>     <li>Interface groups </li>     <li>IP Alias type Virtual IPs</li>     <li>IP Alias VIPs can be stacked on CARP VIPs to go beyond the 255 VHID limit in deployments that need very large numbers of CARP VIPs.</li>     <li>QinQ VLANs</li>     <li>Can use Block Private Networks / Block Bogon Networks on any interface</li>     <li>All interfaces are optional except WAN</li>     <li>All interfaces can be renamed, even LAN/WAN</li>     <li>Bridging enhancements - can now control all options of if_bridge, and assign bridge interfaces</li>    </ul>    <a id="Gateways.2FMulti-WAN" name="Gateways.2FMulti-WAN"></a>    <h3><span class="mw-headline">Gateways/Multi-WAN </span></h3>    <ul>     <li>Gateways, including dynamic gateways, are specified under System > Routing</li>     <li>Gateways can have custom monitor IPs</li>     <li>Gateways can have a custom weight, allowing load balancing to have ratios between WANs of different speeds</li>     <li>Gateways can have custom latency, loss, and downtime trigger levels.</li>     <li>Gateway monitoring via icmp is now configurable.</li>     <li>You can have multiple gateways per interface</li>     <li>Multi-WAN is now handled via gateway groups</li>     <li>Gateway groups can include multiple tiers with any number of gateways on each, for complex failover and load balancing scenarios.</li>    </ul>    <a id="General_Web_GUI" name="General_Web_GUI"></a>    <h3><span class="mw-headline">General Web GUI </span></h3>    <ul>     <li>Set to HTTPS by default, HTTP redirects to HTTPS port</li>     <li>Dashboard and widgets added</li>     <li>System > Advanced screen split into multiple tabs, more options available. </li>     <li>SMTP email alerts and growl alerts</li>     <li>New default theme - pfsense_ng</li>     <li>Some community-contributed themes added</li>     <li>Contextual help available on every page in the web interface, linking to a webpage containing help and documentation specific to that page. </li>     <li>Help menu for quick access to online resources (forum, wiki, paid support, etc.)</li>    </ul>    <a id="Aliases" name="Aliases"></a>    <h3><span class="mw-headline">Aliases </span></h3>    <ul>     <li>Aliases may be nested (aliases in aliases)</li>     <li>Alias autocomplete is no longer case sensitive</li>     <li>IP Ranges in Aliases</li>     <li>More Alias entries supported</li>     <li>Bulk Alias importing</li>     <li>URL Aliases</li>     <li>URL Table Aliases - uses a pf persist table for large (40,000+) entry lists</li>    </ul>    <a id="Firewall" name="Firewall"></a>    <h3><span class="mw-headline">Firewall </span></h3>    <ul>     <li>Traffic shaper rewritten - now handles any combination of multi-WAN and multi-LAN interfaces. New wizards added. </li>     <li>Layer7 protocol filtering</li>     <li><a title="Adding Rules With easyrule" href="/misc/goto?guid=4958196549744755023">EasyRule - add firewall rules from log view (and from console!)</a> </li>     <li>Floating rules allow adding non-interface specific rules</li>     <li>Dynamically sized state table based on amount of RAM in the system</li>     <li>More Advanced firewall rule options</li>     <li>FTP helper now in kernel</li>     <li>TFTP proxy</li>     <li>Schedule rules are handled in pf, so they can use all the rule options. </li>     <li>State summary view, report shows states grouped by originating IP, destination IP, etc.</li>    </ul>    <a id="NAT" name="NAT"></a>    <h3><span class="mw-headline">NAT </span></h3>    <ul>     <li>All of the NAT screens were updated with additional functionality</li>     <li>Port forwards can now handle create/update associated firewall rules automatically, instead of just creating unrelated entries.</li>     <li>Port forwards can optionally use "rdr pass" so no firewall rule is needed.</li>     <li>Port forwards can be disabled</li>     <li>Port forwards can be negated ("no rdr")</li>     <li>Port forwards can have source and destination filters</li>     <li>NAT reflection improvements, including NAT reflection for 1:1 NAT</li>     <li>Per-entry NAT reflection overrides</li>     <li>1:1 NAT rules can specify a source and destination address</li>     <li>1:1 NAT page redesigned</li>     <li>Outbound NAT can now translate to an address pool (Subnet of IPs or an alias of IPs) of multiple external addresses</li>     <li>Outbound NAT rules can be specified by protocol</li>     <li>Outbound NAT rules can use aliases</li>     <li>Improved generation of outbound NAT rules when switching from automatic to manual.</li>    </ul>    <a id="IPsec" name="IPsec"></a>    <h3><span class="mw-headline">IPsec </span></h3>    <ul>     <li>Multiple IPsec p2's per p1 (multiple subnets)</li>     <li>IPsec xauth support</li>     <li>IPsec transport mode added</li>     <li>IPsec NAT-T</li>     <li>Option to push settings such as IP, DNS, etc, to mobile IPsec clients (mod_cfg)</li>     <li>Mobile IPsec works with iOS and Android (Certain versions, see <a title="Mobile IPsec on 2.0" href="/misc/goto?guid=4958196550481978411">Mobile IPsec on 2.0</a>)</li>     <li>More Phase 1/2 options can be configured, including the cipher type/strength</li>     <li>ipsec-tools version 0.8</li>    </ul>    <a id="User_Manager" name="User_Manager"></a>    <h3><span class="mw-headline">User Manager </span></h3>    <ul>     <li>New user manager, centralizing the various user configuration screens previously available. </li>     <li>Per-page user access permissions for administrative users</li>     <li>Three built-in authentication types - local users, LDAP and RADIUS. </li>     <li>Authentication diagnostics page</li>    </ul>    <a id="Certificate_Manager" name="Certificate_Manager"></a>    <h3><span class="mw-headline">Certificate Manager </span></h3>    <ul>     <li>Certificate manager added, for handling of IPsec, web interface, user, and OpenV*N certificates. </li>     <li>Handles creation/import of Certificate Authorities, Certificates, Certificate Revocation lists.</li>     <li>Eliminates the need for using command line tools such as EasyRSA for managing certificates.</li>    </ul>    <a id="OpenV*N" name="OpenV*N"></a>    <h3><span class="mw-headline">OpenV*N </span></h3>    <ul>     <li>OpenV*N wizard guides through making a CA/Cert and OpenV*N server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenV*N server.</li>     <li>OpenV*N filtering - an OpenV*N rules tab is available, so OpenV*N interfaces don't have to be assigned to perform filtering. </li>     <li>OpenV*N client export package - provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user's certificate and configuration files. </li>     <li>OpenV*N status page with connected client list -- can also kill client connections</li>     <li>User authentication and certificate management</li>     <li>RADIUS and LDAP authentication support</li>    </ul>    <a id="Captive_Portal" name="Captive_Portal"></a>    <h3><span class="mw-headline">Captive Portal </span></h3>    <ul>     <li>Voucher support added</li>     <li>Multi-interface capable</li>     <li>Pass-through MAC bandwidth restrictions</li>     <li>Custom logout page contents can be uploaded</li>     <li>Allowed IP addresses bandwidth restrictions</li>     <li>Allowed IP addresses supports IP subnets</li>     <li>"Both" direction added to Allowed IP addresses</li>     <li>Pass-through MAC Auto Entry - upon successful authentication, a pass-through MAC entry can be automatically added.</li>     <li>Ability to configure calling station RADIUS attributes</li>    </ul>    <a id="Wireless" name="Wireless"></a>    <h3><span class="mw-headline">Wireless </span></h3>    <ul>     <li>Virtual AP (VAP) support added</li>     <li><a class="external text" title="https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en_US" href="https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en_US" rel="nofollow">more wireless cards supported with the FreeBSD 8.1 base</a> </li>    </ul>    <a id="Server_Load_Balancing" name="Server_Load_Balancing"></a>    <h3><span class="mw-headline">Server Load Balancing </span></h3>    <ul>     <li>relayd and its more advanced capabilities replace slbd. </li>    </ul>    <a id="Other" name="Other"></a>    <h3><span class="mw-headline">Other </span></h3>    <ul>     <li>L2TP V*N added</li>     <li>DNS lookup page added</li>     <li>PFTop and Top in GUI - realtime updates</li>     <li>Config History now includes a diff feature</li>     <li>Config History has download buttons for prior versions</li>     <li>Config History has mouseover descriptions</li>     <li>CLI filter log parser (/usr/local/bin/filterparser)</li>     <li>Switched to PHP 5.2.x</li>     <li>IGMP proxy added</li>     <li>Multiple Dynamic DNS account support, including full multi-WAN support and multi-accounts on each interface.      <ul>       <li>DynDNS Account Types supported are:        <ul>         <li>DNS-O-Matic</li>         <li>DynDNS (dynamic)</li>         <li>DynDNS (static)</li>         <li>DynDNS (custom)</li>         <li>DHS</li>         <li>DyNS</li>         <li>easyDNS</li>         <li>No-IP</li>         <li>ODS.org</li>         <li>ZoneEdit</li>         <li>Loopia</li>         <li>freeDNS</li>         <li>DNSexit</li>         <li>OpenDNS</li>         <li>Namecheap.com</li>        </ul> </li>      </ul> </li>     <li>More interface types (V*Ns, etc) available for packet capture</li>     <li>DNS Forwarder is used by the firewall itself for DNS resolution (configurable) so the firewall benefits from faster resolution via multiple concurrent queries, sees all DNS overrides/DHCP registrations, etc.</li>     <li>DHCP Server can now handle arbitrary numbered options, rather than only options present in the GUI.</li>     <li>Automatic update now also works for NanoBSD as well as full installs</li>     <li>More configuration sections can be synchronized via XMLRPC between CARP nodes.</li>    </ul>    <p><a href="/misc/goto?guid=4958196551965855427" target="_blank"></a></p>